The European Union's attempt to reform its electronic identification and trust services - a package of laws better known as eIDAS 2.0 - contains legislation that poses a grave threat to online privacy and security.
An article buried deep in the draft text of the bill would force web browsers to place total trust in certificate authorities that have been approved by EU governments.
Much of the internet security and civil-liberties community is speaking out against eIDAS. The unintended consequences of the bill are so great that Mozilla recently shared an open letter, co-signed by a raft of internet companies, warning that eIDAS will make the internet less secure.
Earlier this month, hundreds of cyber security experts called for a rethink of the new laws, arguing that eIDAS will leave the internet without essential technological safeguards.
Articles 45 and 45a of the bill mandate that web browsers recognize two new procedures through which websites can apply for authentication certificates - referred to in the bill as qualified website authentication certificates (QWACs).
Website authentication certificates (the TLS certificates behind HTTPS) bind a domain name to a public key, so that a browser can confirm it is talking to the site it intended rather than to an impostor.
The onus is on the browser to accept certificates that chain to an authority it trusts, and to refuse certificates from issuers it cannot trust.
Articles 45 and 45a would force existing certificate authorities to go through a yearly evaluation by a conformity assessment body before they are added to the EU trust list and allowed to issue QWACs.
Under these articles, browsers and client vendors will also have a legal requirement to add EU-government-approved root certificate authorities to their root stores.
Under the new laws, browsers would also be unable to apply their own security controls to state-sanctioned certificate authorities beyond a suite of existing, pre-approved controls set out by the European Telecommunications Standards Institute (ETSI), the European standards body the bill defers to.
If a web browser became concerned that certificates from an EU-approved authority were being misused, it would be unable to take countermeasures such as distrusting the QWACs in question.
Under eIDAS, browsers will be less able to hold certificate authorities accountable, removing a vital check that many citizens rely on to keep the internet secure.
Since certificate authorities approved by one member state will be recognized across the entire EU, a mistake by one EU member state would affect internet users across the bloc.
In many ways, the furore over Article 45 harks back to a time when certificate authorities could collaborate with governments to spy on encrypted web traffic.
Since 2011, tightened root-store policies and industry baseline requirements, enforced by the browser vendors themselves, have prevented this from happening - and campaigners had hoped that the practice was long dead. Yet the eIDAS legislation threatens to roll back internet security by over a decade, erasing the gains privacy advocates and citizens have fought for since then.
Root certificates are the trust anchors a browser uses to check that the cryptographic key presented by a website was vouched for by an authority the browser trusts, and therefore belongs to whom it claims to.
Whoever controls a trusted root, or a certificate authority subordinate to it, can issue a certificate for any domain, and can then intercept users' traffic to that domain by presenting that certificate and their own key in place of the site's genuine one.
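The mechanism described above, and the browser-side check mentioned earlier in the article (accept only certificates that chain to a trusted authority, refuse the rest), in runnable form. This is an added example, not code from the original article, and it touches no real certificate authority or EU trust list: two in-memory roots, a hypothetical "Genuine Root" and a hypothetical "Mandated Root", each issue a certificate for the made-up hostname bank.example, and a small client models what a browser would accept before the second root is added to its store, after it is added, and after the browser drops it again. The root names, the hostname and the type and function names are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// rootTemplate describes a self-signed CA; the name is a hypothetical label, not a real CA.
func rootTemplate(name string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

// serverTemplate describes a TLS server certificate for host (a constructed hostname).
func serverTemplate(host string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// issue generates a fresh key for tmpl and has parent sign it; a nil parent means self-signed (a root).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // only possible if the system randomness source is unusable
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// browserAccepts models the client-side check: accept only a certificate that names host and chains to a root in the store.
func browserAccepts(store *x509.CertPool, cert *x509.Certificate, host string) bool {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     store,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

type Outcome struct {
	GenuineAccepted       bool // the site's own certificate, genuine root in the store
	ImpostorBeforeMandate bool // certificate from the second root, which is not in the store
	ImpostorAfterMandate  bool // the same certificate once that root has been added
	ImpostorAfterDistrust bool // the same certificate after the browser drops that root
}

// RunScenario walks through the situation for one hostname and returns the browser's verdicts.
func RunScenario(host string) Outcome {
	var out Outcome
	genuineRoot, genuineKey := issue(rootTemplate("Genuine Root (hypothetical)"), nil, nil)
	mandatedRoot, mandatedKey := issue(rootTemplate("Mandated Root (hypothetical)"), nil, nil)
	genuineCert, _ := issue(serverTemplate(host), genuineRoot, genuineKey)
	// Same hostname, but signed by the other root and bound to a key the real site never held.
	impostorCert, _ := issue(serverTemplate(host), mandatedRoot, mandatedKey)
	store := x509.NewCertPool()
	store.AddCert(genuineRoot)
	out.GenuineAccepted = browserAccepts(store, genuineCert, host)
	out.ImpostorBeforeMandate = browserAccepts(store, impostorCert, host)
	store.AddCert(mandatedRoot) // the mandated addition: validation alone can no longer tell the chains apart
	out.ImpostorAfterMandate = browserAccepts(store, impostorCert, host)
	// The usual countermeasure: drop the root. CertPool has no delete, so rebuild the store without it.
	distrusted := x509.NewCertPool()
	distrusted.AddCert(genuineRoot)
	out.ImpostorAfterDistrust = browserAccepts(distrusted, impostorCert, host)
	return out
}

func main() { fmt.Printf("%+v\n", RunScenario("bank.example")) }
```

The point of the last step is the one the article makes: the only thing standing between the "Mandated Root" and a valid-looking certificate for bank.example is the browser's freedom to leave that root out of its store, since the chain validation itself passes once the root is present.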
Under the proposed Article 45, through the assistance of a friendly state-backed certificate authority, EU member states would theoretically be able to insert new root certificates into browsers' root stores at will.
Even in the case of such abuse, Article 45 contains no provision to rescind rogue certificate authorities without the agreement of the issuing country.
eIDAS threatens to undermine website independence and security and make the internet a less safe, less private place.
Published on www.helpnetsecurity.com. Publication date: Tue, 12 Dec 2023 05:58:11 +0000